HTTP POST sent by WebExtension content script does not set Referer header and Origin header is null
Categories
(WebExtensions :: Untriaged, defect)
Tracking
(Not tracked)
People
(Reporter: feedbro.reader, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Steps to reproduce:
- Create a WebExtension that uses the content_scripts setting in manifest.json and injects a content script at "document_start"
- In the injected content script create an XMLHttpRequest or fetch POST call to the same URL as the currently loaded page (tested on https://html.duckduckgo.com/html)
Actual results:
POST call does not have "Referer" header set at all
POST call has "Origin" header with value "null"
Expected results:
Referer header should be set (this works in Chrome)
Origin header should have proper value (this works in Chrome)
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•4 years ago
What do you consider to be a "proper" value? Did it work before?
Sounds like a duplicate of bug 1685570, depending on what you're expecting.
Since you're performing a same-origin request, would using content.fetch instead of fetch offer the desired results? content.fetch (or content.XMLHttpRequest) in Firefox is the same as using the web page's XHR/fetch API (without special privileges) to send the request.
If the content script and related HTTP POST is run on page with URL https://html.duckduckgo.com/html, then the values for the headers should be:
Origin: https://html.duckduckgo.com
Referer: https://html.duckduckgo.com/html
I've never heard about content.fetch but I'll try it.
Oh! It works when using content.XMLHttpRequest. Hmm did something break recently regarding this?
var x;
if( window.content && window.content.XMLHttpRequest ) {
    console.log("We are running on Firefox because content.XMLHttpRequest is available!");
    x = new content.XMLHttpRequest();
}
else {
    x = new XMLHttpRequest();
}
Comment 5•4 years ago
You can use mozregression to determine whether this is a recent regression. Since you already have the test extension (and did not attach it here), can you run it and report back?
https://mozilla.github.io/mozregression/
https://mozilla.github.io/mozregression/quickstart.html
To me this smells like the same thing as bug 1685570.
Comment 7•4 years ago
Hello,
Can I be of any assistance regarding this?
Since the issue appears to be the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1685570 can it be marked accordingly?
Thank you!
Comment 8•4 years ago
Hi Alex, it would be great if you can run mozregression to confirm whether this bug is the same as the other one.
Create an extension with the following source code for the content script and run it (e.g. using the URL from the STR).
var x = new XMLHttpRequest();
x.open("POST", document.URL);
x.send();
Open the developer tools, network tab to inspect the request headers (Origin & Referer). If you loaded the page before opening the devtools, reload the page so that the request is captured in the devtools.
Comment 9•4 years ago
It appears it is the same regressor as in the case of https://bugzilla.mozilla.org/show_bug.cgi?id=1685570, i.e.
2021-03-09T12:21:57.527000: DEBUG : Found commit message:
Bug 1605305 - Origin header field is not set to HTTP request in cases where it is required, r=ckerschb,necko-reviewers,JuniorHsu,valentin (https://bugzilla.mozilla.org/show_bug.cgi?id=1605305)
Differential Revision: https://phabricator.services.mozilla.com/D80905
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3fd504b386e8751834f730b2ff5e6f12ab3d7e96&tochange=92d71744323a2cdd2eb06e9a8884d69d63b0a456
Comment 10•4 years ago
Thanks for the confirmation!
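A helper for the check described in comment 8, as an added example that is not part of the bug report or of Firefox: it derives the Origin and Referer values the reporter lists from the page URL, flags the "null" and missing-header case from the actual results, and selects content.XMLHttpRequest when it is available. The function names, the shape of the `observed` object and the default referrer policy are assumptions.

```javascript
// Added example, not from the bug report. Works in a content script or Node.

// Header values the reporter expects for a same-origin request from the page.
// Assumption: default referrer policy, so Referer is the page URL without
// fragment or credentials.
function expectedHeaders(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = "";
  u.username = "";
  u.password = "";
  return { origin: u.origin, referer: u.href };
}

// Compare headers copied from the Network tab with the expected values.
// `observed` (hypothetical shape): plain object, header name -> value.
function diagnose(observed, pageUrl) {
  const want = expectedHeaders(pageUrl);
  const got = {};
  for (const [name, value] of Object.entries(observed)) {
    got[name.toLowerCase()] = value;
  }
  const problems = [];
  if (got.origin === undefined) problems.push("Origin missing");
  else if (got.origin === "null") problems.push("Origin is null");
  else if (got.origin !== want.origin) problems.push("Origin mismatch: " + got.origin);
  if (got.referer === undefined) problems.push("Referer missing");
  else if (got.referer !== want.referer) problems.push("Referer mismatch: " + got.referer);
  return problems;
}

// Choose the XHR constructor as in the reporter's snippet: the page-context
// one from `content` when Firefox exposes it, otherwise the default.
function pickXHR(scope) {
  const c = scope.content;
  if (c && c.XMLHttpRequest) return { XHR: c.XMLHttpRequest, pageContext: true };
  return { XHR: scope.XMLHttpRequest, pageContext: false };
}

// Content-script usage, sending the same POST as the STR:
//   const { XHR } = pickXHR(window);
//   const x = new XHR();
//   x.open("POST", document.URL);
//   x.send();
```

An empty array from diagnose() means the request carried the headers the reporter expected; a page that sets its own Referrer-Policy can legitimately produce a different Referer.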